Work from Home

An Application and Identity Management Guide

Background

SaaS is exploding. Unless you live on Mars this is a pretty obvious statement! But what isn’t perhaps as obvious is the gaping hole this explosion is causing in your IT security posture. In many organizations Active Directory (AD), which used to control all access to company resources, now only governs 20% of applications while 80% of a user’s application load comes from a 3rd party like Salesforce.com or Concur.

That also means IT is no longer the linchpin to get applications up and running. If a user or group of users want to share files, they can have an app up and running in 5 minutes with a credit card. Similarly, when internal applications are not easy to use, the workforce is finding they now have the power to go out and sign up for tools on their own.

IT is struggling to provide users with the flexibility to get tools the way they want them, while also trying to get their arms around provisioning, usage and de-provisioning.

Identity and Access Management Defined…(Loosely)

It’s important to define these terms before we dive into these 2 distinct functions within an IT security framework.

Identity Management – This refers to the process of assigning and then managing the attributes of a user. Who are they, what groups they are a part of etc. For example, “This person is remote, part of the Marketing functional area”, and so on.

Access Management – This refers to the process of taking the above identities, or groups of identities, and deciding what IT resources they have access to.

These terms are very closely related and often used interchangeably. This is likely because traditional IT environments, where corporate assets have been housed internally, have used Active Directory (AD) to address both questions: who are you, and what can you access?

However, with the explosion of SaaS, AD isn’t able to perform these functions by itself any longer.

Identity Management

Solutions for identity management can be segmented into 2 buckets:

Traditional AD – Companies not yet “cloud-enabled” are using this tried and true structure, whether hosted on-premises or in some sort of private cloud environment. It works great, it’s robust and very familiar and easy to manage. But, it’s lacking when companies start venturing out to SaaS applications and identities must be created and maintained at these providers individually; it’s extremely time-consuming for IT to create, manage and audit.

Directory as a Service – Seriously … another DaaS?? In all seriousness, these are purpose-built solutions hosted by 3rd parties specifically for managing user identities. They are often built to integrate with other cloud solutions like SaaS applications. A great example is Azure AD, which is very popular, mostly because it’s given away for free in some instances. These are great for companies that are completely “cloud-enabled”, but they aren’t built upon full-blown AD. So, companies that have any legacy infrastructure that requires full AD must maintain both. And while the two can integrate with each other, management has to be done from the full AD instance rather than the cloud directory instance, since the cloud directory is the scaled-down version.

Access Management

One of the key tenets of Access Management is Single Sign-On (SSO). According to LastPass, users at large organizations (1,000+) have on average 25 sets of credentials – and the number skyrockets inside of smaller firms – due to all the different legacy and SaaS applications they are using to do their job. SSO is a way to reduce the number of credentials a user must remember in order to do their job. It also serves as a central “choke point” in the age-old yin and yang battle in the security space: productivity and efficiency versus enforcing corporate controls.

What is SSO?

This is best described by example:

When using SSO, a user logs into a central portal at the beginning of their day. From there, based on their identity, tiles appear for their corporate SaaS applications. They click on each application like Office 365, Salesforce, Concur, etc. and are granted access into those applications without having to log in again.

For these integrated applications the portal is passing a token to the SaaS application and verifying that the user is allowed access. Think “Sign in with Facebook” as a consumer example. Facebook says ‘you’re good’ so whatever application you’re trying to get into trusts Facebook’s opinion of you.

How Does SSO Work?

Almost all the major players are using a technology called SAML to make this work. We’re not going into a dissertation on what this is – that’s what Google is for if you’re curious to dive deeper. Essentially there are two main components:

1. For SaaS applications that are integrated using SAML, users have no idea what their actual password is because they don’t have a password anymore. Similar to the Facebook example above, the SSO provider has verified your identity, often with multiple factors, known as multi-factor authentication (MFA), and then decided that you should be granted access based upon your identity.

2. Almost all SSO providers are on par since they’re all “speaking the same language”. So, if a SaaS application is using SAML, every provider can integrate with the service. If the application isn’t using SAML, no provider will be able to natively integrate with it. But all hope is not lost for applications that aren’t yet up to speed on SAML; there are some options to make things easier for IT and the users.
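To make the "token passed to the SaaS application" concrete, here is an added example (not code from this guide or from any SSO vendor) of the checks a SaaS application, the SAML service provider, makes before it trusts what the portal says about a user: signature, issuer, validity window, audience, authentication context (MFA) and replay. The entity IDs, user, key and assertion are constructed, and a keyed hash stands in for the XML signature a real IdP places on the assertion.

```python
# Added example, not from the guide or any vendor: SP-side checks on a SAML 2.0
# assertion. Entity IDs, user, key and assertion are constructed for illustration.
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_KEY = b"constructed-demo-key"  # stand-in for the IdP signing certificate
IDP_ENTITY_ID = "https://sso.example-idp.test/metadata"
SP_ENTITY_ID = "https://crm.example-saas.test/sp"
# Assumed SP policy: only accept logins the IdP performed with a second factor.
ACCEPTED_CONTEXTS = {"urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"}
NOW = datetime(2024, 3, 1, 9, 1, tzinfo=timezone.utc)

# Constructed assertion, trimmed to the elements the checks below look at.
ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c0nstructed01" Version="2.0" IssueInstant="2024-03-01T09:00:00Z">
  <saml:Issuer>https://sso.example-idp.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T08:59:00Z" NotOnOrAfter="2024-03-01T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://crm.example-saas.test/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-03-01T08:59:30Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def sign(assertion_xml: bytes, idp_key: bytes) -> str:
    """Stand-in for XML-DSig: a keyed hash the IdP computes over the assertion."""
    return hmac.new(idp_key, assertion_xml, hashlib.sha256).hexdigest()


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(assertion_xml, tag, idp_key, expected_issuer, expected_audience,
                       accepted_contexts, seen_ids, now):
    """Return (subject, "ok") if the SP should trust the assertion, else (None, reason)."""
    # 1. Signature first: nothing inside an unsigned assertion is worth reading.
    if not hmac.compare_digest(sign(assertion_xml, idp_key), tag):
        return None, "signature mismatch: assertion not produced by the trusted IdP"
    root = ET.fromstring(assertion_xml)
    # 2. It must come from the one IdP this SP was configured to trust.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return None, f"unexpected issuer {issuer!r}"
    # 3. Validity window: assertions are short-lived by design.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return None, "assertion outside its validity window"
    # 4. Audience: an assertion minted for another SaaS app must not log in here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None, "assertion was issued for a different service provider"
    # 5. MFA policy: the IdP records how it authenticated the user.
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        namespaces=NS)
    if ctx not in accepted_contexts:
        return None, f"authentication context {ctx!r} does not meet MFA policy"
    # 6. Replay: each assertion ID may be consumed once.
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        return None, "assertion replayed"
    seen_ids.add(assertion_id)
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), "ok"


def demo():
    """Run the checks over the good assertion and three cases that must fail."""
    seen = set()
    tag = sign(ASSERTION, IDP_KEY)
    args = (IDP_KEY, IDP_ENTITY_ID, SP_ENTITY_ID, ACCEPTED_CONTEXTS)
    good = validate_assertion(ASSERTION, tag, *args, seen, NOW)
    replay = validate_assertion(ASSERTION, tag, *args, seen, NOW)
    tampered = ASSERTION.replace(b"crm.example-saas.test", b"hr.example-saas.test")
    forged = validate_assertion(tampered, tag, *args, set(), NOW)
    stale = validate_assertion(ASSERTION, tag, *args, set(), NOW + timedelta(minutes=10))
    return {"good": good, "replay": replay, "tampered": forged, "stale": stale}
```

Only the "good" case yields a subject; the replayed, re-targeted and expired copies of the same assertion are all refused, which is what lets the SaaS application rely on the portal's verdict without ever seeing a password.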

Why Use SSO?

From the user’s perspective – you’re providing them with one place to login and then allowing them to access other applications by authenticating to the initial site and being passed along as a trusted user. There’s a tremendous benefit to the end-user and the efficiency they gain while reducing their exposure to forgetting passwords and having to perform multiple logins throughout the day. But it goes much deeper than just password management.

From the business’ perspective – There are 3 main areas to focus on:

1. Security – Based on the LastPass data earlier, SaaS just expanded the threat vector, on average, 25-fold when it comes to credentials, which means 25 more ways for a user (the most vulnerable part of your defense mechanisms) to be compromised. SSO brings that back down to one set of credentials. Additionally, Shadow IT, the use of unauthorized SaaS solutions, represents a major Trojan horse threat to the organization, as these applications are used without IT’s knowledge and without the enforcement of best practices. By providing an extremely efficient and better user experience, IT makes it easy for users to stick with the solutions that have been blessed by IT and deters them from going outside corporate standards to (in their eyes) just get their job done.

2. Reduce Help Desk Tickets – Time and again when surveying our customers, password resets are the #1 or #2 source of help desk tickets. It’s also been reported that every help desk ticket costs an organization $70 to complete! Every time a SaaS application is added to the mix, it’s one more reason to generate a password reset ticket. Some SSO providers give users the ability to self-administer password resets, which virtually eliminates this source of tickets.

3. De-provisioning – There are two factors that come into play when looking at the offboarding or de-provisioning process. First, from a security perspective, IT has to figure out what applications a user had access to when they were onboarded and disable them. Next, they have to figure out what applications the user gained access to throughout their tenure and disable those. This points back to identity management and what’s known as identity scope creep: as a user moves from one functional area to another, are their rights from the prior area revoked, or are access rights just added to their identity? Hopefully, IT finds them all. In an amicable parting of ways, this isn’t as big of an issue. But in a negative or sensitive situation, it could represent a major security risk. Secondary to the security considerations, the process of actually going to each SaaS application and de-provisioning the user individually is a resource-intensive process.
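The scope-creep point above is easy to see in code. This added example (not from the guide or any vendor's product) models a user moving between functional areas under both an additive and a revoke-on-move policy, then shows what an offboarding run that only looks at the current role's baseline would leave enabled. The roles, applications, user and ticket number are constructed for illustration.

```python
# Added example, not from the guide: an entitlement audit showing why disabling
# only the "onboarding" apps misses what a user accumulated over their tenure.
# Roles, applications, user and ticket number are constructed for illustration.
from dataclasses import dataclass, field

# Assumed role -> application baseline, as an IdP or HR system would hold it.
ROLE_APPS = {
    "sales": {"Salesforce", "Concur", "Office 365"},
    "marketing": {"HubSpot", "Office 365"},
}


@dataclass
class UserAccess:
    user: str
    role: str
    grants: dict = field(default_factory=dict)  # app -> why it was granted


def onboard(user: str, role: str) -> UserAccess:
    """Day one: the user gets exactly the current role's baseline."""
    ua = UserAccess(user, role)
    for app in ROLE_APPS[role]:
        ua.grants[app] = f"role:{role}"
    return ua


def change_role(ua: UserAccess, new_role: str, revoke_previous: bool) -> None:
    """Move the user. revoke_previous=False is the additive pattern that creates creep."""
    if revoke_previous:
        ua.grants = {a: why for a, why in ua.grants.items() if a in ROLE_APPS[new_role]}
    for app in ROLE_APPS[new_role]:
        ua.grants.setdefault(app, f"role:{new_role}")
    ua.role = new_role


def grant_adhoc(ua: UserAccess, app: str, ticket: str) -> None:
    """Access requested outside any role baseline (a help desk ticket, a trial, etc.)."""
    ua.grants[app] = f"ticket:{ticket}"


def scope_creep(ua: UserAccess) -> dict:
    """Everything the user holds beyond the current role's baseline, with its origin.
    These are exactly the apps a baseline-only de-provisioning run would leave enabled."""
    return {a: why for a, why in ua.grants.items() if a not in ROLE_APPS[ua.role]}


def offboarding_plan(ua: UserAccess) -> list:
    """Apps to disable at offboarding: every grant, not just the current role's set."""
    return sorted(ua.grants)


def demo_user(revoke_previous: bool = False) -> UserAccess:
    """Sales hire moves to marketing, then picks up one ad-hoc app along the way."""
    ua = onboard("jdoe", "sales")
    change_role(ua, "marketing", revoke_previous)
    grant_adhoc(ua, "Dropbox", "HD-0042")  # constructed ticket id
    return ua
```

Under the additive policy the user leaves with five apps while their current role only explains two; under revoke-on-move only the ad-hoc grant survives as creep, which is the audit an SSO portal with one-click de-provisioning performs for IT.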

What If My SaaS Application Doesn’t Support SAML?

Luckily the SaaS industry is tuned into the SSO movement and most new and updated apps are using SAML today or working feverishly to get there. Frankly, the ability to use SAML to integrate should be one of the key decision criteria businesses use to evaluate SaaS solutions.

For applications that aren’t SAML enabled, some providers are offering a way to cache credentials in their portal. What this means is that the user will enter their credentials manually into the portal and then, when they click on that app, the portal will manually input their cached credentials.

This is not nearly as seamless, but it does provide the user with the SSO experience they are looking for to make their lives easier and continues adherence to corporate standards and solutions. It’s also important to note that some solutions don’t offer password management tools at all, letting the user continue to store them in Excel, on sticky notes or “somewhere else.”

What Is IAM Orchestration?

Integrated Remote Workspaces – A Better Solution

As BYOD, remote work and work-from-home have shifted businesses away from internally hosted server solutions in favor of SaaS applications, Evolve IP has pioneered an offering that meets the demands of how users want to work with the best way to secure the enterprise, all while enabling access to both legacy and SaaS applications.

SSO, MFA, and AD Together as One – Evolve IP’s Clearlogin SSO portal greatly enhances an organization’s security posture by providing users with just one set of credentials. Evolve IP then layers multi-factor authentication into the offering to enhance security even further. We then take it a step further and host customer AD environments within our HITRUST, PCI and SOC compliant data centers.

Clearlogin delivers a full-fledged identity and access management framework with additional security features such as “full lockout”, which detects compromised accounts at a single credential challenge point and proactively locks those accounts down. If we hear someone at your back door, we’re going to proactively lock all your doors and windows, thwarting would-be attacks.

Legacy Applications – Remember the legacy applications mentioned above? Evolve IP can provide these applications to users as a tile, making them perform and feel like a SaaS application. And, if users require a desktop OS delivered to them, they can access that desktop as a tile inside the browser, making the solution completely portable to any device. While SaaS is now the dominant way to access applications, our surveys of mid-market and enterprise businesses show that about 50% of apps are still hanging out in the data center; and that’s a real risk, or a real pain in the neck, for IT in work-from-home scenarios.

User Adoption – Because Evolve IP’s SSO solution includes both SaaS and legacy applications, users are more likely to fully adopt company standards and not engage in shadow IT behaviors, as the corporate way is just easier – and they still get what they need. Users are also given full self-service password maintenance capabilities, which means they no longer have to wait on tickets to be opened with IT.

IT Efficiency – Some estimates have a single password reset costing upwards of $70 per incident. IT will eliminate the #1 or #2 source of help desk tickets, while users will be de-provisioned from all legacy and SSO-integrated SaaS applications with one click, freeing up IT resources for more value-creating activities within the enterprise.

Conclusion

During the novel coronavirus outbreak, an estimated one-third of the world’s population was told to stay home and stay safe. For typical employees, working from home was challenging but manageable; they had their SaaS apps and a collaboration tool and were able to make do. But for IT, this heightened an already difficult situation. Home networks and devices were unsecured, helpdesk tickets went through the roof, and many users were unable to access vital on-premises applications living in a very lonely corporate data center.

An integrated identity and access management program that delivers all of a business’ SaaS and on-premises applications in a single Web portal is the answer. Check out a demo of that solution here: www.evolveip.net/workspaces

Why Businesses Choose Evolve IP

Evolve IP enables people to Work Anywhere™, more productively, more securely and with less dependence on IT resources. We design Purpose-Built® solutions, tailored just for your business, that unify workspaces, collaboration and communications, and contact centers. Integrating blue-chip technology partners like Microsoft, Cisco, Citrix, and VMware, with our intellectual property, Evolve IP’s analyst-acclaimed solutions have been deployed globally to 500,000+ users and into the world’s most well-known brands. All Evolve IP associates are focused on driving successful client outcomes and that has resulted in our scoring at the top of verified analyst and client satisfaction rankings.
